Hackers Use New .NET Loader Malware to Deliver Wide Range of Payloads
A previously undocumented .NET loader that downloads, decrypts, and executes a wide range of malicious payloads was identified during routine threat hunting.
Multiple threat actors widely distributed this new loader in early June 2023 through the following channels:
- Malicious phishing emails
- Fake YouTube videos
- Fake websites impersonating legitimate sites
Cybersecurity researchers at Sekoia identified this new .NET loader and named it “CustomerLoader.”
Analysts chose the name because its command-and-control (C2) communications contain the term “customer” and because of its loading functionality.
.NET Loader Delivering Payloads
CustomerLoader exclusively retrieves dotRunpeX samples, which in turn deliver a diverse range of malware families, including:
- Infostealers
- Remote Access Trojans (RATs)
- Commodity ransomware
In March 2023, security researchers at Check Point publicly documented dotRunpeX as a .NET injector equipped with multiple anti-analysis techniques.
A link between CustomerLoader and an undisclosed Loader-as-a-Service offering is highly likely.
The dotRunpeX developer may have added CustomerLoader as a stage that runs before the injector.
CustomerLoader samples use multiple code obfuscation techniques and disguise themselves as legitimate applications. This slows down and prolongs analysis, likely thanks to easy-to-use .NET code obfuscation tools.
Many such tools are available, even to non-experts, through the NotPrab/.NET-Obfuscator GitHub repository.
CustomerLoader uses AES in ECB mode for string obfuscation, with the decryption key stored in plaintext within the PE.
CustomerLoader evades detection by patching the AmsiScanBuffer function in amsi.dll so that it returns AMSI_RESULT_CLEAN, bypassing antivirus scanning. This marks every buffer as clean and allows the malicious payloads to execute unhindered.
The loader executes the customer payload following this process:
- CustomerLoader downloads an HTML page from an embedded URL.
- A base64-encoded string is extracted using the regex: “/!!!(.*?)!!!/”
- The base64 string is then decoded and decrypted.
- The payload is then executed in memory using reflective code loading.
The reflective loading code is obfuscated by shuffling, and .NET assemblies are loaded using the following function:
- NewLateBinding.LateGet
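The retrieval steps above, as an added analyst-side example that is not from the article or from Sekoia's tooling: a Python script that applies the reported `!!!(.*?)!!!` regex to a captured HTML page, base64-decodes the blob, and records what an analyst wants to know before attempting decryption (blob length, AES block alignment, hash). The HTML page and its 32-byte "ciphertext" are constructed for the example; the AES-ECB decryption step is deliberately left out because it needs the per-sample key carried in the PE.

```python
import base64
import binascii
import hashlib
import re
from typing import Dict, Optional

# Regex the article reports CustomerLoader using to locate the encoded
# payload inside the downloaded HTML page. DOTALL lets the blob span lines.
PAYLOAD_MARKER = re.compile(r"!!!(.*?)!!!", re.DOTALL)


def extract_encoded_payload(html: str) -> Optional[str]:
    """Return the text between the first pair of '!!!' markers, or None if absent."""
    m = PAYLOAD_MARKER.search(html)
    if m is None:
        return None
    # Drop whitespace that page layout may have inserted around the blob.
    return "".join(m.group(1).split())


def decode_payload(encoded: str) -> Optional[bytes]:
    """Base64-decode the blob; None if it is not strictly valid base64."""
    try:
        return base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage(html: str) -> Dict[str, object]:
    """Summarise what was found, without attempting decryption."""
    encoded = extract_encoded_payload(html)
    if encoded is None:
        return {"found": False}
    raw = decode_payload(encoded)
    if raw is None:
        return {"found": True, "valid_base64": False}
    return {
        "found": True,
        "valid_base64": True,
        "ciphertext_len": len(raw),
        # AES-ECB uses 16-byte blocks and no IV, so a genuine blob is block aligned;
        # a misaligned length means the markers caught something else.
        "aes_block_aligned": len(raw) % 16 == 0,
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


# Constructed sample page (not a real CustomerLoader download): 32 placeholder
# bytes, base64-encoded, hidden in an HTML comment between the marker pair.
SAMPLE_BLOB = bytes(range(32))
SAMPLE_HTML = (
    "<html><body><p>Welcome</p>\n"
    "<!-- !!!" + base64.b64encode(SAMPLE_BLOB).decode() + "!!! -->\n"
    "</body></html>"
)

if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```

Run it against a page saved from the sandbox or proxy capture; a result with `valid_base64` true and `aes_block_aligned` true is the point at which the key recovered from the sample is applied.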
CustomerLoader samples retrieve the encrypted payloads from their C2 server, with each payload tied to a specific customer ID and hosted at:
- hxxp://$C2/customer/$ID
Between 31 May and 20 June 2023, CustomerLoader samples communicated directly with the C2 server at IP 5.42.94[.]169 over HTTP. On 20 June 2023 the C2 switched to the domain kyliansuperm92139124[.]sbs over HTTPS, fronted by Cloudflare.
The domain acts as a proxy, while the backend server remains 5.42.94[.]169. According to Sekoia.io analysts, this C2 change likely aims to evade network detections and hinder security researchers’ analysis.
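As an added detection example (not from the article or from Sekoia): a Python scan over web proxy log lines that flags requests to the C2 hosts named above and, at lower severity, any request with the `/customer/<id>` URL shape on an unknown host, since the backend has already been re-fronted once. The log format, timestamps and client addresses are constructed; the hosts and the customer IDs 735 and 770 come from the article's IoCs, written undefanged so they can be matched.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# C2 infrastructure named in the article (defanged there; plain here for matching).
KNOWN_C2_HOSTS = {"5.42.94.169", "kyliansuperm92139124.sbs"}

# The per-customer payload endpoint: http(s)://<C2>/customer/<numeric id>
CUSTOMER_PATH = re.compile(r"^/customer/(\d+)$")


def split_url(url: str) -> Tuple[str, str]:
    """Return (hostname, path) for an http(s) URL; path defaults to '/'."""
    m = re.match(r"^https?://([^/:]+)(?::\d+)?(/[^?#]*)?", url)
    if m is None:
        return ("", "")
    return (m.group(1).lower(), m.group(2) or "/")


def classify_request(url: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a proxied URL, or None if it is not of interest."""
    host, path = split_url(url)
    m = CUSTOMER_PATH.match(path)
    if host in KNOWN_C2_HOSTS:
        if m:
            return ("high", "known CustomerLoader C2, customer endpoint id=" + m.group(1))
        return ("medium", "contact with known CustomerLoader C2 host")
    if m:
        # Same URL shape on an unlisted host: a candidate for the next proxy front.
        return ("low", "CustomerLoader-style /customer/<id> path on host " + host)
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Constructed log format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the scan
        ts, client, _method, url, _status = fields[:5]
        verdict = classify_request(url)
        if verdict is not None:
            hits.append({"ts": ts, "client": client, "url": url,
                         "severity": verdict[0], "reason": verdict[1]})
    return hits


# Constructed sample log: two C2 fetches, one bare C2 contact, one look-alike
# path on an unrelated host, and one benign request.
SAMPLE_LOG = [
    "2023-06-15T10:01:02Z 10.0.0.23 GET http://5.42.94.169/customer/735 200",
    "2023-06-21T08:12:44Z 10.0.0.41 GET https://kyliansuperm92139124.sbs/customer/770 200",
    "2023-06-21T08:13:10Z 10.0.0.41 GET https://kyliansuperm92139124.sbs/ 200",
    "2023-06-21T09:00:00Z 10.0.0.77 GET https://example.com/customer/12 200",
    "2023-06-21T09:00:05Z 10.0.0.77 GET https://example.com/index.html 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["severity"], hit["client"], hit["url"], "-", hit["reason"])
```

After the 20 June switch to HTTPS behind Cloudflare, the path is only visible where TLS is terminated at the proxy; without that, the domain match from SNI or DNS logs is the remaining network signal, which is why the plain host contact is still scored.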
Malware Families Distributed
Below are all the malware families distributed by CustomerLoader:
- Redline
- Formbook
- Vidar
- Stealc
- Raccoon
- Lumma
- StormKitty
- AgentTesla
- DarkCloud
- Kraken Keylogger
- AsyncRAT
- Quasar
- Remcos
- XWorm
- njRAT
- WarzoneRAT
- BitRAT
- NanoCore
- SectopRAT
- LgoogLoader
- Amadey
- Variant of WannaCry
- TZW ransomware
CustomerLoader distributes the following malware families, each associated with a specific number of unique botnets:
- Redline: over 80 botnets
- Quasar: 45 botnets
- Vidar: 9 botnets
- Remcos: 6 botnets
- Stealc: 4 botnets
- Formbook: 4 botnets
Combined with the dotRunpeX injector, CustomerLoader increases compromise rates by reducing detection of the final payload, despite lacking advanced techniques.
IoCs
- hxxp://smartmaster.com[.]my/48E003A01/48E003A01.7z: Payload delivery URL
- d40af29bbc4ff1ea1827871711e5bfa3470d59723dd8ea29d2b19f5239e509e9: Archive
- 3fb66e93d12abd992e94244ac7464474d0ff9156811a76a29a76dec0aa910f82: CustomerLoader payload
- hxxp://5.42.94[.]169/customer/735: CustomerLoader’s C2 URL
- hxxps://telegra[.]ph/Stout-Version-06-03-2: Malicious redirection webpage
- hxxps://tinyurl[.]com/bdz2uchr: Shortened URL redirecting to the payload transport URL
- hxxps://www.mediafire[.]com/file/nnamjnckj7h80xz/v2.4_2023.rar/file: Payload delivery URL
- hxxps://www.mediafire[.]com/file/lgoql94feiic0x7/v2.5_2023.rar/file: Payload delivery URL
- 65e3b326ace2ec3121f17da6f94291fdaf13fa3900dc8d997fbbf05365dd518f: Archive
- 7ff5a77d6f6b5f1801277d941047757fa6fec7070d7d4a8813173476e9965ffc: Archive
- c05c7ec4570bfc44e87f6e6efc83643b47a378bb088c53da4c5ecf7b93194dc6: CustomerLoader payload
- hxxp://5.42.94[.]169/customer/770: CustomerLoader’s C2 URL
- 45.9.74[.]99: Raccoon stealer’s C2
- 5.42.65[.]69: Raccoon stealer’s C2
- hxxps://slackmessenger[.]keep/: Malicious webpage impersonating the Slack website
- hxxps://slackmessenger[.]pw/slack.zip: Payload delivery
- 695f138dd517ded4dd6fcd57761902a5bcc9dd1da53482e94d70ceb720092ae6: Archive
- b8f5519f7d66e7940e92f49c9f5f0cac0ae12cc9c9072c5308475bd5d093cdca: CustomerLoader payload
- hxxp://5.42.94[.]169/customer/798: CustomerLoader’s C2 URL
- missunno[.]com:80: Redline stealer’s C2
Source credit: cybersecuritynews.com